Risk management aims to manage uncertainty and includes actions taken to identify, assess, monitor and reduce the impact of risks to your business. On the risk analysis matrix find the intersection of the likelihood and consequence ratings selected for the risk. Eliminate the risk by discontinuing the activity or removing the hazard such as not undertaking the activity that is likely to trigger the risk.
The level and type of risk that you need to consider will vary with the type of business you operate.
Commercial: includes the risks associated with market placement, business growth, diversification and commercial success.
From free Business Basics workshops to more specialised workshops and one-to-one advisory sessions, we can provide support – directly and through our partner organisations.
Following the BIA and risk assessment, the next steps are to define, build and test detailed disaster recovery plans that can be invoked in case disaster actually strikes the organisation’s critical IT assets.
Supply chain disruptions present a key risk, said Susan Young, MBCI, a risk management professional with a London-based insurance company.
Water damage is a key risk to organisations in the UK, and sometimes the source can be so obvious it gets overlooked, said 2C’s Barnes. A BIA attempts to relate specific risks to their potential impact on things such as business operations, financial performance, reputation, employees and supply chains. In the risk analysis matrix select the description that best describes the consequences of the risk (with existing control measures in place).
Risk can be reduced through preventative maintenance, quality assurance and management, or changes to business systems and processes. The final column lists the product of likelihood × impact, and this becomes your risk factor.
For example, in the Lloyd's insurance market in London, all businesses depend on a firm called Xchanging to provide premiums and claims processing.
Next, the risk assessment examines the internal and external threats and vulnerabilities that could negatively impact IT assets. On the other hand, the issue of operational risk has become more important in recent years.
Methodologies for managing and evaluating operational risk in information systems that bypass the constraints of VaR have been developed. This paper presents a comprehensive methodology that helps the auditor to overcome the numerous qualitative parameters of the operational risk in e-banking. In the suggested methodology, the auditors perform a survey on e-banking's operations and define critical areas of risk exposure.
The auditor has enough expertise to review the e-banking processes and identify key risk areas and factors. The reliability of the results depends on the degree to which both the risk analyst and the business users actively participate in the process. It is relatively easy for an auditor with average expertise to identify key risk areas and factors. It is easy for business users to assess risk exposure by assigning a grade from zero to three for each key risk factor, according to their own subjective criteria. It integrates the knowledge and objectivity of an external auditor with the knowledge and expertise of the business users.
All business users contribute to the survey, which, on average, makes the final result unbiased. The risk analysts have to prepare a report in which they describe the bank's strategic goals in the context of e-banking. At the end of this stage, the auditor must be in a position to identify for further investigation the residual risk and assess the areas where the risk is eliminated or is insignificant, as well as the areas where the risk is relatively high. Risk analysts must directly contact the business users who are involved in the e-banking business processes.
The BU activity form is used to record the major business processes in which the BU is involved. Analysts aggregate the information, and use their judgment and expertise to determine the key risk factors (KRFs) that are considered to be critical for the determination of the bank's operational risk exposure.
After receiving all the RAFs from the users, the analysts must copy the rates of each user in the application risk assessment form (ARAF). The final step of data processing is the measurement of risk that is related to the technical infrastructure. Eventually, after the risk analysis has been completed, the analysts will be in a position to understand the risk structure of the e-banking service and identify those areas with high risk exposure. Overview—There will be an overview of the functionality of the e-banking service and a generic assessment of the risk exposure. Risks per function—There must be a short description of the most risky areas of e-banking according to the findings from the analysis.

Technical infrastructure risks—A summary of the technical infrastructure used and its risk exposure are presented.
On the other hand, IS auditors have developed tools that enable them to assess and visualize operational risk. The rows of figure 5 are filled with the answers of each business user in each business unit. Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA.
A good risk management plan with appropriate risk management strategies can minimise costly and stressful problems, and may also reduce insurance claims and premiums.
Go to the legend on the risk analysis matrix and find the risk priority corresponding to the risk rating determined above. You may already be doing all reasonable things to reduce the risk but it can’t be completely eliminated.
Reputation: entails the threat to the reputation of the business due to the conduct of the entity as a whole, the viability of product or service, or the conduct of employees or other individuals associated with the business.
Disaster recovery risk assessment and business impact analysis (BIA) are crucial steps in the development of a disaster recovery plan. Detailed response planning and the other key parts of disaster recovery planning, such as plan maintenance, are, however, outside the scope of this article so let us get back to looking at disaster recovery risk assessment and business impact assessment in detail. BIA outputs should present a clear picture of the actual impacts on the business, both in terms of potential problems and probable costs. Even if the existing control measures are adequate you need to regularly review whether anything has changed which may impact on the risk issues you have identified. Those events with the highest risk factor are the ones your disaster recovery plan should primarily aim to address. These methods are a mix of expert opinion and self-assessment methodologies, with the use of risk factors as an index for the level of risk.
Then, they set the framework for the survey and prepare questionnaires for the business users to self-assess the level of risk exposure.
Despite its subjectivity, the methodology can give unbiased results if enough business users are involved in the process. Nevertheless, if the auditor asks all the business users of e-banking to assess the risk exposure, the final result, on average, is unbiased and reveals the real level of risk exposure.
In the first column, analysts list the key e-banking functions and in the second column they list, for each function, all of the risks that have been identified without taking into account any controls or points of risk mitigation that may have been applied to reduce risk exposure (inherent risks).
The SWOT analysis will be used to identify the level of operational risk to which the bank is exposed. Analysts use their professional expertise to evaluate the findings of the review process to identify key risk factors and sensitive areas for further investigation. Moreover, analysts conduct a first assessment of the level of risk exposure and identify sensitive areas for further investigation. It is obvious that risk analysts will end up with a set of KRFs that depend on both the environment and their own experience. The tool for this process is the risk assessment form (RAF), a questionnaire prepared by the auditor and shipped to each business user of e-banking (figure 4). This form has the format of a double-entry matrix similar to the RAF, where rows and columns are transposed.
The tool for this kind of measurement is the technical infrastructure risk assessment form (TIRAF). In the column next to functions, the average risk per function, as it has been calculated in the ARAF, is placed. At the final step of the risk analysis process, they prepare a report for the project sponsors (in this case, the top management) where the findings are summarized. For each area, the analysts must list the causes and the KRFs that lead to high risk exposure, and make proposals for actions or business process reengineering that will moderate the risk exposure.
The analyst must present how the KRFs affect the risk exposure of the technical infrastructure and propose control mechanisms and actions that should be taken to reduce risk exposure. He has more than 10 years of IT and banking experience, specifically in project management, business analysis and IS design. This step involves analysing the likelihood and consequences of each identified risk using the measures provided.
Once the proposed controls are completed, reassess the risk by conducting regular risk reviews – and reviewing the progress and effectiveness of your selected risk strategies. Operational: covers the planning, operational activities, resources (including people) and support required within the operations of a business that result in the successful development and delivery of a product or service. Adapted with permission from the BCM Lifecycle developed by the Business Continuity Institute. Working with IT managers and members of your building facilities staff, as well as risk management staff if you have them, you can identify the events that could potentially impact data centre operations.

2C Consulting’s Barnes said a key aim of the BIA should be to define the maximum period of time the business can survive without IT.
However, there are some common categories which you can use to guide your thinking and the development of your risk management plan.
The business users assess the level of risk by answering a structured questionnaire, which is previously set by the auditors.
The second column includes all points of mitigation and control mechanisms that have been applied to reduce every one of the risks identified previously. The call for the interview should take the form of a letter, from the auditor to the head of the department, asking for a meeting to discuss the functionality and duties of the business unit in relation to e-banking.
For each row (function), its average risk rate is moved to the right, under those pieces of technical infrastructure used by the specific function. Thus, the use of an advanced measurement approach (AMA) for the calculation of operational risk exposure is either difficult or impossible. Rate the effectiveness of existing controls in preventing the risk from eventuating or minimising its impact should it occur. Security: includes the overall security of the business premises, assets and people, and extends to security of information, intellectual property, and technology. Traditional IT employees need to understand the big business picture and what the cloud offers to remain relevant. This extends from individual safety, to workplace safety, public safety and to the safety and appropriateness of products or services delivered by the business. Nevertheless, these directives usually focus on a passive approach, since they do not try to actively measure operational risk but rather describe the tools that can be used to minimize it—perhaps because of regulators' worldwide focus on the measurement of Value at Risk (VaR). Nevertheless, the combination of the expertise of a risk analyst with that of the system users can quantify, at a high level of confidence, the operational risk that the bank is exposed to and indicate critical areas for further investigation.
Afterwards, the auditors' responsibility is to collect the answers and put them into spreadsheets to calculate the risk exposure by area. The auditor can identify key risk areas but does not know in detail the daily operations, while the business users know the daily operations but not the total picture. At the bottom of the spreadsheet, the average risk rate per PTI is calculated, as are the number of functions that use each PTI.
The main tools for the application of these methods are the interview with key business users and the professional experience of the auditor. Learn more about risk management and develop a risk management process as part of your day-to-day operations.
In the risk analysis matrix select the description that best describes the likelihood of the risk occurring (with existing control measures in place). It extends to internal operational projects, projects relating to business development, and external projects such as those undertaken for clients. The VaR methodology translates the level of risk into monetary units while it requires extensive historical data to calculate variability and probabilities (loss data).
Additionally, the business users may have an interest in hiding certain risks from the auditor to make their job easier.
Each rating indicates different levels of risk exposure, with zero as the minimum and three as the maximum.
When you understand about potential risks, you can start developing risk minimisation strategies. This extends to recognising the need for and the cost benefit associated with technology as part of a business development strategy.
Pay attention to risk warning signs; these may include anything that concerns you about business finances.
Additionally, operational risk in e-banking is related to a number of qualitative factors that are very difficult to quantify.
But, before we look at them in detail, we need to locate disaster recovery risk assessment and business impact assessment in the overall planning process.
The speed at which IT assets can be returned to normal or near-normal performance will impact how quickly the organisation can return to business as usual or an acceptable interim state of operations.
The results of the BIA should help determine which areas require which levels of protection, the amount to which the business can tolerate disruptions and the minimum IT service levels needed by the business. The BIA identifies the most important business functions and the IT systems and assets that support them.